GOVRAT V2.0

Recommendations

Info

GOVRAT V2.0 ATTACKING US MILITARY AND GOVERNMENT THE LIFECYCLE OF GOVRAT V.2 Reconnaissance • Contact Gathering • WEB-apps Malware Build • Agent-based • Signed Code • LPE Exploit Stage 1 - Infection Attack Vectors • Drive-by (RIG 3.0 + Neutrino) Stage 2 - Worm Attack Vectors • Network Shares • USB Flash In the closed underground forum, “Hell Forum” on the TOR network, the bad actor is still using his old nickname “bestbuy,” has VIP status, and is selling a variety of tools for cyber espionage campaigns using the same alias, along with several new nicknames on “The Real Deal Market.” This link was used as one of the key elements in the attribution of this bad actor: Some of the bad actor’s posts in the same marketplace are still being published on behalf of bestbuy. GovRAT v2 has a fairly advanced network password sniffer and password dumper that is used for further data exfiltration and is spreading via available network resources and connected external devices, such as USB flash drives (worm feature). 4
GOVRAT V2.0 ATTACKING US MILITARY AND GOVERNMENT WHAT IS THE “HELL FORUM”? According to our sources, on June 17, 2015, 33 year-old “Ping,”, a former owner of the “Hell Forum,” was arrested. He was mentioned in a number of media reports from the Calgary Police Department and the story was covered by the Calgary Herald. The arrest was announced just days after Fox News quoted a security researcher about the suspected OPM data on the Hell Forum. According to closed sources, Ping was also responsible for hacking into another federal system in 2013.. In January 2016, the underground forum reemerged with new administrators. The forum improved the procedure for inviting new members by implementing an internal vouching system. One of the posts was quoted as follows: “Don’t worry about anything regarding LE [law enforcement], NSA and others. If you suspect anyone to be LE please let us know so that we can take proper action against them since this is not a place for them.” At present, Hell Forum is one of the tightest and most closed underground communities in the TOR network, where serious cybercriminals exchange information about data leaks, new vulnerabilities and private tools for sale. The group under investigation is based on key members of “Hell Forum.” Several of these individuals are known as professional hackers for hire, such as ROR[RG], who previously hacked Ashley Madison and AdultFriendFinder. He also stole the personal information of 72,000,000 Turkish citizens from MERNİS (Turkey’s citizenship number system), and claimed to have 17.8GB of data from a Turkish Police server, supposedly stolen from the Turkish General Directorate of Security (EGM). 5
Page 1 and 2: GOVRAT V2.0 ATTACKING US MILITARY A
Page 3: GOVRAT V2.0 ATTACKING US MILITARY A
Page 21: 800 789 2720 / ATI.INFOARMOR.COM IA

GOVRAT V2.0

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?